botbuilder-python icon indicating copy to clipboard operation
botbuilder-python copied to clipboard
verified publisher icon microsoft

port: Managed Identity (MSI) + Single Tenant support for Bot apps (#5829)

Open github-actions[bot] opened this issue 4 years ago • 0 comments

The changes in Managed Identity (MSI) + Single Tenant support for Bot apps (#5829) may need to be ported to maintain parity with microsoft/botbuilder-dotnet.

Fixes #5830

Description

  • Enable Azure's Managed Identity (MSI) for bot apps, so that bot authors don't have to manage app secrets.
  • Support for hosting bots as single tenant apps, which enables acquiring AAD access tokens from the bot's host tenant, as opposed to, botframework.com tenant.

Below are the 3 ways a bot app can now be hosted:

1. Multi-Tenant (Default):

{
  "MicrosoftAppId": "",
  "MicrosoftAppPassword": ""
}

2. Single Tenant:

{
  "MicrosoftAppType": "SingleTenant",
  "MicrosoftAppId": "",
  "MicrosoftAppPassword": "",
  "MicrosoftAppTenantId": ""
}

3. Managed Identity (MSI):

{
  "MicrosoftAppType": "UserAssignedMSI",
  "MicrosoftAppId": "",
  "MicrosoftAppTenantId": ""
}

Specific Changes

  • Added classes for Managed Identity credentials management and token acquisition.
  • Updated ConfigurationServiceClientCredentialFactory to instantiate the appropriate credential mechanism (MultiTenant/SingleTenant/MSI) based on appsettings.
  • Added the bot's host tenant as a valid JWT token issuer since the tokens will be issued from the host tenant when using SingleTenant/MSI hosting model. This was done by adding a property to the AuthenticationConfiguration class which would be used in the skills scenarios.
  • Added an overload in PasswordServiceClientCredentialsFactory to accept TenantId which can be used to acquire token using the bot's host tenant for SingleTenant scenario.

Testing

Following scenarios were verified:

1. Bot to Channel scenarios:

  • MultiTenant
  • SingleTenant
  • MSI

2. Bot to bot (skills) scenarios:

MultiTenant SkillSingleTenant SkillMSI Skill
MultiTenant HostY--
SingleTenant Host-YY
MSI Host-YY
NOTE: When one of the bots is MultiTenant, the other cannot be SingleTenant/MSI since the token acquisition by the MultiTenant bot will fail due to not being able to find the SingleTenant/MSI bot resource registered in the `botframework.com` tenant. So, those scenarios are not supported.

Please review and, if necessary, port the changes.

github-actions[bot] avatar Aug 20 '21 21:08 github-actions[bot]